CISO members of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published a white paper to help cybersecurity leaders in retail and hospitality prepare for compliance with the California Consumer Privacy Act (CCPA).
Key recommendations from the white paper:
- Consider contract language that prevents third parties from reselling personal information sold to them unless the consumer has received explicit notice and has been given the opportunity to exercise their right to opt out
- Consider expanding cookie opt-out functionality to go beyond Interest Based Advertising/Online Behavioral Advertising
- Geotracking of company vehicles may be considered tracking of consumers
- Conduct process-centric data mapping that identifies all internal and external business processes handling personal information, along with the associated data flows
- Establish a governance program
- Appoint stakeholder(s) to be in charge of CCPA compliance (see photo below for potential candidates)
- Appoint stakeholder(s) to be in charge of data access/deletion requests
- Involve stakeholders from all relevant departments
- Gain buy-in by emphasizing the additional benefits of performing a data mapping/inventory beyond privacy